On January 23, 2013, the Federal Financial Institutions Examination Council (FFIEC) published proposed guidance to supervised institutions regarding social media use. The proposed guidance reminds financial institutions that they must comply with consumer protection laws when they engage in regulated activities over social media, but does not dwell on how an institution must comply with particular compliance obligations in the social media context. Rather, the guidance is meant to highlight the broader compliance, reputational, and operational risks that institutions should address within their risk management programs.
First, What Is Social Media?
The proposed guidance recognizes that “social media” is still a somewhat nebulous concept, but defines it as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.” For example, social media includes micro-blogging sites, such as Facebook, Google Plus, MySpace, and Twitter; forums, blogs, and customer review sites, such as Yelp; photo and video sites, such as Flickr and YouTube; professional networking sites, such as LinkedIn; virtual worlds, such as Second Life; and social games, such as FarmVille and CityVille. Generally speaking, social media tends to involve more interactive communication than other forms of online media.
Compliance with Consumer Protection Laws: No Exceptions for Social Media
Much of the proposed guidance is devoted to addressing compliance and legal risks under particular consumer protection laws (e.g., the Truth-in-Lending Act, the Fair Debt Collection Practices Act, the Equal Credit Opportunity Act, the Real Estate Settlement Procedures Act). The takeaway is that these laws continue to apply in full even to activities and interactions that occur over social media. For example, the guidance specifies that if a creditor receives an application through social media, it must comply with the notification timelines set forth in Regulation B, just as if it had received the application through a more traditional channel. Similarly, if a creditor advertises credit products through social media, the social media advertisement must comply with the Truth-in-Lending advertising requirements set forth in Regulation Z.
Risk Management Program Expectations
In addition to compliance and legal risks, the proposed guidance also addresses reputation risk and operational risk. For example, the FFIEC suggests that in order to control risks to the financial institution’s reputation, an institution should maintain policies, procedures, and controls to monitor and address: (i) fraudulent use of the financial institution’s brand (e.g., “phishing”); (ii) the institution’s ability to manage and oversee third parties that provide social media services to the institution; (iii) consumer privacy concerns; and (iv) employee communications over social media (including over personal accounts). With respect to operational risk (i.e., “the risk of loss resulting from inadequate or failed processes, people, or systems”), the FFIEC refers institutions to existing information technology guidance, including the FFIEC Information Technology Examination Handbook.
The FFIEC notes that these risks should be considered within the institution’s broader risk management program. According to the proposed guidance, such a program should include at least the following components:
- A clear governance structure that enables management to consider how social media contributes to the strategic goals of the institution and establishes controls and ongoing risk assessment with respect to social media use;
- Policies and procedures regarding the use and monitoring of social media and compliance with applicable requirements (including methods to address risks from online postings, edits, replies, and retention);
- Due diligence processes for managing third-party service provider relationships related to social media;
- Employee training for business use of social media (and potentially for other uses as well), including with respect to impermissible activities;
- Monitoring information that is posted to proprietary social media sites;
- Audit and compliance functions; and
- Periodic reporting to enable management to evaluate the social media program’s effectiveness and compliance.
Request for Comment
In addition to inviting public comment on “any aspect of the proposed guidance,” the FFIEC requested responses to the following specific questions:
1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
3. Are there any technological or other impediments to financial institutions’ compliance with otherwise applicable laws, regulations, and policies when using social media of which the FFIEC should be aware?
Comments are due on or before March 25, 2013.
The proposed guidance recognizes that social media can be a valuable business tool that offers financial institutions new ways to interact with their customers and other consumers. But the FFIEC stresses that this “dynamic environment” inevitably creates risks—both to the institution and to consumers—that supervised institutions are expected to manage. Complex issues related to business and personal uses of social media can be difficult to manage, especially in a highly regulated industry. The proposed guidance is just a start, but sets forth the broad outlines of a risk management framework.